ghsa-jqh6-r2gj-x2xp
Vulnerability from github
Published
2025-12-24 15:30
Modified
2025-12-24 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: Fix system crash due to lack of free space in LFS

When f2fs tries to checkpoint during foreground gc in LFS mode, system crash occurs due to lack of free space if the amount of dirty node and dentry pages generated by data migration exceeds free space. The reproduction sequence is as follows.

  • 20GiB capacity block device (null_blk)
  • format and mount with LFS mode
  • create a file and write 20,000MiB
  • 4k random write on full range of the file

RIP: 0010:new_curseg+0x48a/0x510 [f2fs] Code: 55 e7 f5 89 c0 48 0f af c3 48 8b 5d c0 48 c1 e8 20 83 c0 01 89 43 6c 48 83 c4 28 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc <0f> 0b f0 41 80 4f 48 04 45 85 f6 0f 84 ba fd ff ff e9 ef fe ff ff RSP: 0018:ffff977bc397b218 EFLAGS: 00010246 RAX: 00000000000027b9 RBX: 0000000000000000 RCX: 00000000000027c0 RDX: 0000000000000000 RSI: 00000000000027b9 RDI: ffff8c25ab4e74f8 RBP: ffff977bc397b268 R08: 00000000000027b9 R09: ffff8c29e4a34b40 R10: 0000000000000001 R11: ffff977bc397b0d8 R12: 0000000000000000 R13: ffff8c25b4dd81a0 R14: 0000000000000000 R15: ffff8c2f667f9000 FS: 0000000000000000(0000) GS:ffff8c344ec80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000c00055d000 CR3: 0000000e30810003 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: allocate_segment_by_default+0x9c/0x110 [f2fs] f2fs_allocate_data_block+0x243/0xa30 [f2fs] ? __mod_lruvec_page_state+0xa0/0x150 do_write_page+0x80/0x160 [f2fs] f2fs_do_write_node_page+0x32/0x50 [f2fs] __write_node_page+0x339/0x730 [f2fs] f2fs_sync_node_pages+0x5a6/0x780 [f2fs] block_operations+0x257/0x340 [f2fs] f2fs_write_checkpoint+0x102/0x1050 [f2fs] f2fs_gc+0x27c/0x630 [f2fs] ? folio_mark_dirty+0x36/0x70 f2fs_balance_fs+0x16f/0x180 [f2fs]

This patch adds checking whether free sections are enough before checkpoint during gc.

[Jaegeuk Kim: code clean-up]

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-54151"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-24T13:16:17Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: Fix system crash due to lack of free space in LFS\n\nWhen f2fs tries to checkpoint during foreground gc in LFS mode, system\ncrash occurs due to lack of free space if the amount of dirty node and\ndentry pages generated by data migration exceeds free space.\nThe reproduction sequence is as follows.\n\n - 20GiB capacity block device (null_blk)\n - format and mount with LFS mode\n - create a file and write 20,000MiB\n - 4k random write on full range of the file\n\n RIP: 0010:new_curseg+0x48a/0x510 [f2fs]\n Code: 55 e7 f5 89 c0 48 0f af c3 48 8b 5d c0 48 c1 e8 20 83 c0 01 89 43 6c 48 83 c4 28 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc \u003c0f\u003e 0b f0 41 80 4f 48 04 45 85 f6 0f 84 ba fd ff ff e9 ef fe ff ff\n RSP: 0018:ffff977bc397b218 EFLAGS: 00010246\n RAX: 00000000000027b9 RBX: 0000000000000000 RCX: 00000000000027c0\n RDX: 0000000000000000 RSI: 00000000000027b9 RDI: ffff8c25ab4e74f8\n RBP: ffff977bc397b268 R08: 00000000000027b9 R09: ffff8c29e4a34b40\n R10: 0000000000000001 R11: ffff977bc397b0d8 R12: 0000000000000000\n R13: ffff8c25b4dd81a0 R14: 0000000000000000 R15: ffff8c2f667f9000\n FS: 0000000000000000(0000) GS:ffff8c344ec80000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000c00055d000 CR3: 0000000e30810003 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n allocate_segment_by_default+0x9c/0x110 [f2fs]\n f2fs_allocate_data_block+0x243/0xa30 [f2fs]\n ? __mod_lruvec_page_state+0xa0/0x150\n do_write_page+0x80/0x160 [f2fs]\n f2fs_do_write_node_page+0x32/0x50 [f2fs]\n __write_node_page+0x339/0x730 [f2fs]\n f2fs_sync_node_pages+0x5a6/0x780 [f2fs]\n block_operations+0x257/0x340 [f2fs]\n f2fs_write_checkpoint+0x102/0x1050 [f2fs]\n f2fs_gc+0x27c/0x630 [f2fs]\n ? folio_mark_dirty+0x36/0x70\n f2fs_balance_fs+0x16f/0x180 [f2fs]\n\nThis patch adds checking whether free sections are enough before checkpoint\nduring gc.\n\n[Jaegeuk Kim: code clean-up]",
  "id": "GHSA-jqh6-r2gj-x2xp",
  "modified": "2025-12-24T15:30:40Z",
  "published": "2025-12-24T15:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54151"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ce71c61d661cfac3f097af928995abfcebd2b8c5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d11cef14f8146f3babd286c2cc8ca09c166295e2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f4631d295ae3fff9e240ab78dc17f4b83d14f7bc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.